SSO - Single Sign-On
SSO integration over SAML 2.0 or OIDC for centralized, secure authentication of your teams.
Key Features
SAML 2.0 & OIDC
Support for both major federated-authentication standards.
8 Supported Providers
Azure AD, Okta, Google, Auth0, OneLogin, PingIdentity and more; six of them are pre-configured, the others are set up manually.
Adaptive MFA
Risk-based multi-factor authentication (location, device, behaviour).
Auto-provisioning
Automatic creation of user accounts from your IdP.
Supported Identity Providers
| Provider | Protocol | Configuration |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML 2.0 / OIDC | Pre-configured |
| Okta | SAML 2.0 / OIDC | Pre-configured |
| Google Workspace | OIDC | Pre-configured |
| Auth0 | OIDC | Pre-configured |
| OneLogin | SAML 2.0 | Pre-configured |
| PingIdentity | SAML 2.0 / OIDC | Pre-configured |
| JumpCloud | SAML 2.0 | Manual |
| Custom IdP | SAML 2.0 / OIDC | Manual |
SAML 2.0 Configuration
1. Service Provider (SP) Information
Use these values to register Adlibo as a Service Provider in your IdP.
# Adlibo metadata (SP)
Entity ID: https://www.adlibo.com/saml/metadata/{org_id}
ACS URL: https://www.adlibo.com/saml/acs/{org_id}
SLO URL: https://www.adlibo.com/saml/slo/{org_id}
# Required attributes
email: urn:oid:0.9.2342.19200300.100.1.3
firstName: urn:oid:2.5.4.42
lastName: urn:oid:2.5.4.4
groups: memberOf (optional)
2. Configuration via the Dashboard
Configure your IdP from the Enterprise dashboard. The example below registers Microsoft Entra ID. The certificate is the IdP's SAML signing certificate, which Adlibo uses to verify assertion signatures; take it from the IdP's federation metadata. Note that Entra ID emits group object IDs in the groups claim by default: either configure the enterprise application to emit group names, or use the object IDs as keys in groupMapping.
// POST /api/saas/enterprise/sso
{
"providerType": "AZURE_AD",
"displayName": "Corporate Azure AD",
"saml": {
"entityId": "https://sts.windows.net/{tenant_id}/",
"ssoUrl": "https://login.microsoftonline.com/{tenant_id}/saml2",
"certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
"signatureAlgorithm": "sha256",
"nameIdFormat": "email",
"attributeMapping": {
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
}
},
"allowedDomains": ["company.com", "subsidiary.com"],
"autoProvision": true,
"defaultRole": "MEMBER",
"groupMapping": {
"IT-Admins": "ADMIN",
"Security-Team": "ADMIN",
"Developers": "MEMBER"
}
}
OIDC Configuration
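Rather than copying entityId, ssoUrl and the certificate by hand, they can be pulled from the IdP's federation metadata. The following is an added example, not code from the Adlibo docs or SDK: it parses a constructed Entra-style metadata document, checks that the SSO endpoint is https and that the certificate base64 decodes to a DER structure, wraps the certificate as the PEM string the configuration expects, and assembles the saml block of the POST body shown above. Function and constant names are the example's own, the tenant placeholder and the certificate bytes are constructed (not a real certificate), and a second signing certificate in the metadata is reported as a warning because it means the IdP is mid-rotation.

```python
# Added example (not Adlibo docs or SDK code): build the "saml" block of the
# POST /api/saas/enterprise/sso payload from IdP federation metadata and check it.
import base64
import xml.etree.ElementTree as ET

# Metadata fetched from the network is untrusted XML: parse it with defusedxml
# in production rather than the stdlib parser used here for the constructed sample.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Entra ID claim URIs from the configuration above.
AZURE_ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed placeholder, NOT a real certificate. DER always starts with a
# SEQUENCE tag (0x30, the byte "0"), which is the only structural check made here.
FAKE_CERT_B64 = base64.b64encode(b"0\x82\x01\x00" + b"constructed-placeholder-bytes" * 3).decode()

# Constructed sample in the shape Entra ID publishes for a tenant ("TENANT-ID" is a placeholder).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64: str) -> str:
    """Wrap the raw base64 of <X509Certificate> as the PEM block the config expects."""
    raw = "".join(b64.split())
    der = base64.b64decode(raw, validate=True)  # raises ValueError on garbage
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate is not a DER SEQUENCE")
    lines = [raw[i:i + 64] for i in range(0, len(raw), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, the HTTP-Redirect SSO URL and all signing certificates."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("not an IdP metadata document")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    if not sso[0].startswith("https://"):
        raise ValueError(f"SSO URL must be https: {sso[0]}")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(to_pem(c.text or ""))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entityId": entity_id, "ssoUrl": sso[0], "certificates": certs}


def build_saml_config(xml_text: str, attribute_mapping: dict) -> tuple[dict, list[str]]:
    """Return the "saml" block for the POST body plus any warnings worth acting on."""
    meta = parse_idp_metadata(xml_text)
    warnings = []
    if len(meta["certificates"]) > 1:
        warnings.append(f"IdP publishes {len(meta['certificates'])} signing certificates "
                        "(rotation in progress); re-run once the old key is retired")
    config = {
        "entityId": meta["entityId"],
        "ssoUrl": meta["ssoUrl"],
        "certificate": meta["certificates"][0],
        "signatureAlgorithm": "sha256",
        "nameIdFormat": "email",
        "attributeMapping": attribute_mapping,
    }
    return config, warnings
```

Run `build_saml_config(SAMPLE_METADATA, AZURE_ATTRIBUTE_MAPPING)` and post the returned block under `"saml"`; a non-https SSO URL or an undecodable certificate raises before anything reaches the dashboard.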
// POST /api/saas/enterprise/sso
{
"providerType": "OKTA",
"displayName": "Corporate Okta",
"oidc": {
"issuer": "https://company.okta.com",
"clientId": "0oa...",
"clientSecret": "encrypted_secret",
"authorizationUrl": "https://company.okta.com/oauth2/v1/authorize",
"tokenUrl": "https://company.okta.com/oauth2/v1/token",
"userInfoUrl": "https://company.okta.com/oauth2/v1/userinfo",
"jwksUrl": "https://company.okta.com/oauth2/v1/keys",
"scopes": ["openid", "profile", "email", "groups"],
"responseType": "code",
"claimMapping": {
"email": "email",
"name": "name",
"groups": "groups"
}
},
"allowedDomains": ["company.com"],
"autoProvision": true
}
Adaptive MFA
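The five OIDC URLs in the payload above can be taken from the provider's discovery document instead of being typed in. This is an added example, not the Adlibo SDK: it validates a constructed Okta-style discovery document, requiring that its issuer equals the configured issuer byte for byte (the OIDC Discovery rule that blocks issuer confusion, so a trailing slash is already a mismatch), that every endpoint is https, that the authorization code flow is supported and unsigned ID tokens are not, and then builds the oidc block. The client secret is deliberately absent from the built dictionary; inject it from a secret store when the request is made. Function names and the sample document are assumptions.

```python
# Added example (not Adlibo SDK code): derive the "oidc" block of the
# POST /api/saas/enterprise/sso payload from OIDC discovery and verify it first.
import json
from urllib.parse import urlsplit

ISSUER = "https://company.okta.com"
REQUIRED_SCOPES = ["openid", "profile", "email", "groups"]

# Constructed discovery document, the shape GET {issuer}/.well-known/openid-configuration
# returns for an Okta org authorization server. Fetch it over TLS in real use.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://company.okta.com",
    "authorization_endpoint": "https://company.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://company.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://company.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://company.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
})

# Config field -> discovery document key
ENDPOINTS = {
    "authorizationUrl": "authorization_endpoint",
    "tokenUrl": "token_endpoint",
    "userInfoUrl": "userinfo_endpoint",
    "jwksUrl": "jwks_uri",
}


def validate_discovery(issuer: str, doc: dict, scopes: list[str]) -> list[str]:
    """Return the list of problems found; an empty list means the document is usable."""
    problems = []
    # OIDC Discovery 4.3: the issuer in the document must equal the issuer used to
    # build the discovery URL exactly. No normalisation, no trailing-slash tolerance.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    for key in ENDPOINTS.values():
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg=none)")
    supported = doc.get("scopes_supported")  # optional in the spec; check only if present
    if supported is not None:
        missing = [s for s in scopes if s not in supported]
        if missing:
            problems.append(f"scopes not advertised: {missing}")
    return problems


def build_oidc_config(issuer: str, discovery_json: str, client_id: str,
                      scopes: list[str] = REQUIRED_SCOPES) -> dict:
    """Build the "oidc" block; raises ValueError if the discovery document fails validation."""
    doc = json.loads(discovery_json)
    problems = validate_discovery(issuer, doc, scopes)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = {
        "issuer": issuer,
        "clientId": client_id,
        # "clientSecret" is intentionally not set here: add it from a secret store
        # at request time so it never lands in a config file or a log.
        "scopes": list(scopes),
        "responseType": "code",
        "claimMapping": {"email": "email", "name": "name", "groups": "groups"},
    }
    for our_key, their_key in ENDPOINTS.items():
        cfg[our_key] = doc[their_key]
    return cfg
```

`build_oidc_config(ISSUER, SAMPLE_DISCOVERY, "0oa-constructed")` yields the same endpoint set as the hand-written payload above; a document whose issuer reads `https://company.okta.com/` is rejected.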
Adaptive MFA evaluates several risk factors to decide whether an additional verification step is required.
Location
Risk level: HIGH. Login from a new country or from a suspicious IP address.
Device
Risk level: MEDIUM. New, unrecognized or unmanaged device.
Time
Risk level: LOW. Login outside the user's usual hours.
Behaviour
Risk level: MEDIUM. Unusual navigation patterns.
// Adaptive MFA configuration
{
"adaptiveMfa": {
"enabled": true,
"riskThreshold": "medium", // low, medium, high
"factors": ["location", "device", "time", "behavior"],
"actions": {
"low": "allow", // Score < 30: no MFA
"medium": "mfa_required", // Score 30-70: MFA required
"high": "block" // Score > 70: block and alert
}
},
"mfaExemptGroups": ["Service-Accounts"]
}
Groups listed in mfaExemptGroups bypass the adaptive engine entirely: an exempt account whose password leaks has no second factor at all. Keep that list to non-interactive service identities and review it regularly.
SDK Integration
JavaScript/TypeScript
import crypto from 'node:crypto';
import express from 'express';
import { AdliboClient } from '@adlibo/sdk';

// The API key must stay on the server: start the login from a route and redirect,
// never from browser code that would expose ADLIBO_API_KEY.
const client = new AdliboClient({ apiKey: process.env.ADLIBO_API_KEY });
const app = express();

// Start the SSO login
app.get('/auth/login', async (req, res) => {
  // state is a fresh, unguessable value bound to this session, not the session ID
  // itself (the session ID would otherwise travel to the IdP and end up in URL logs).
  const state = crypto.randomBytes(32).toString('base64url');
  req.session.ssoState = state;
  const loginUrl = await client.sso.initiateLogin({
    provider: 'AZURE_AD',
    returnUrl: '/dashboard',
    state
  });
  // Redirect the user to the IdP
  res.redirect(loginUrl);
});

// Callback handler (after the IdP redirects back)
app.get('/auth/callback', async (req, res) => {
  // Reject the callback unless state matches the value issued to this session (CSRF protection);
  // the stored value is single use.
  const expected = req.session.ssoState;
  delete req.session.ssoState;
  if (!expected || req.query.state !== expected) {
    return res.redirect('/login?error=invalid_state');
  }
  const result = await client.sso.handleCallback({
    code: req.query.code,
    state: req.query.state
  });
  if (result.success) {
    // Create the local session (regenerate the session ID here to prevent fixation)
    req.session.user = result.user;
    res.redirect('/dashboard');
  } else {
    // URL-encode the error so it cannot inject extra query parameters
    res.redirect('/login?error=' + encodeURIComponent(result.error));
  }
});
Python
import os
import secrets
from urllib.parse import quote
from flask import Flask, redirect, request, session
from adlibo import AdliboClient

app = Flask(__name__)
app.secret_key = os.environ["FLASK_SECRET_KEY"]
client = AdliboClient(api_key=os.environ["ADLIBO_API_KEY"])

# Start the SSO login
@app.route("/auth/login")
def sso_login():
    # Fresh random state bound to this session, checked again on the callback
    state = secrets.token_urlsafe(32)
    session["sso_state"] = state
    login_url = client.sso.initiate_login(
        provider="OKTA",
        return_url="/dashboard",
        state=state  # same state parameter as in the JavaScript SDK call
    )
    return redirect(login_url)

# Callback handler
@app.route("/auth/callback")
def sso_callback():
    expected = session.pop("sso_state", None)  # single use
    if not expected or not secrets.compare_digest(expected, request.args.get("state", "")):
        return redirect("/login?error=invalid_state")
    result = client.sso.handle_callback(
        code=request.args.get("code"),
        state=request.args.get("state")
    )
    if result.success:
        session["user"] = result.user
        return redirect("/dashboard")
    # URL-encode the error so it cannot inject extra query parameters
    return redirect(f"/login?error={quote(str(result.error))}")
Group Mapping
Automatically map your IdP groups to Adlibo roles. A user who belongs to no mapped group receives defaultRole; the keys in groupMapping must match the values your IdP sends in the groups attribute or claim.
| Groupe IdP | Role Adlibo | Permissions |
|---|---|---|
| Security-Admins | OWNER | Full access, billing, SSO config |
| IT-Team | ADMIN | User management, API keys, configs |
| Developers | MEMBER | Dashboard, alerts, API usage |
| Auditors | READONLY | View only, export reports |
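How the attributeMapping, allowedDomains, autoProvision, defaultRole and groupMapping settings from the SAML configuration combine on a real login, as an added example that is not Adlibo's provisioning code: it reads the attributes of a constructed assertion, enforces an exact domain match on the email (a suffix test would accept evilcompany.com), ignores unmapped groups, and picks the most privileged mapped role. That tie-break is an assumption; the page does not say which role wins when a user is in several mapped groups. The code assumes the assertion's signature, issuer, audience, recipient and validity window have already been verified upstream and must never run on an unverified assertion.

```python
# Added example (not Adlibo's provisioning code): apply the SSO configuration to
# the attributes of a SAML assertion that has ALREADY been signature-checked.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed tie-break: when a user is in several mapped groups, the most privileged wins.
ROLE_RANK = {"READONLY": 0, "MEMBER": 1, "ADMIN": 2, "OWNER": 3}

SSO_CONFIG = {  # the same fields as the SAML POST body above
    "saml": {"attributeMapping": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    }},
    "allowedDomains": ["company.com", "subsidiary.com"],
    "autoProvision": True,
    "defaultRole": "MEMBER",
    "groupMapping": {"IT-Admins": "ADMIN", "Security-Team": "ADMIN", "Developers": "MEMBER"},
}

# Constructed AttributeStatement. A real assertion also carries Subject, Conditions
# and a Signature, all verified before this code is reached.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Alice.Martin@Company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Martin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Developers</saml:AttributeValue>
      <saml:AttributeValue>IT-Admins</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def domain_allowed(email: str, allowed: list[str]) -> bool:
    """Exact, case-insensitive match on the part after the single '@'."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed}


def resolve_role(groups: list[str], mapping: dict[str, str], default: str) -> str:
    """Most privileged mapped role, or defaultRole when no group is mapped."""
    mapped = [mapping[g] for g in groups if g in mapping]  # unmapped groups are ignored
    if not mapped:
        return default
    return max(mapped, key=ROLE_RANK.__getitem__)


def provision_user(assertion_xml: str, config: dict, existing_emails: set[str]) -> dict:
    """Build the local user record, or raise PermissionError if policy rejects the login."""
    m = config["saml"]["attributeMapping"]
    attrs = extract_attributes(assertion_xml)
    email_values = attrs.get(m["email"], [])
    if len(email_values) != 1:
        raise PermissionError("assertion must carry exactly one email attribute")
    email = email_values[0].lower()
    if not domain_allowed(email, config["allowedDomains"]):
        raise PermissionError(f"domain of {email} is not in allowedDomains")
    is_new = email not in existing_emails
    if is_new and not config["autoProvision"]:
        raise PermissionError("unknown user and autoProvision is off")
    groups = attrs.get(m["groups"], [])
    return {
        "email": email,
        "firstName": (attrs.get(m["firstName"]) or [""])[0],
        "lastName": (attrs.get(m["lastName"]) or [""])[0],
        "role": resolve_role(groups, config["groupMapping"], config["defaultRole"]),
        "created": is_new,
    }
```

For the sample above the user is created as ADMIN: Developers maps to MEMBER, IT-Admins to ADMIN, and Contractors is not mapped and contributes nothing.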
Security Best Practices
Restrict domains
Set allowedDomains to limit access to your organization's email domains. With autoProvision enabled, any identity your IdP asserts would otherwise receive an account.
Enable adaptive MFA
Adaptive MFA balances security and user experience by requesting a second factor only for risky logins.
Rotate certificates
Plan the rotation of SAML certificates before they expire; Adlibo alerts you 30 days in advance. Update the configuration while the IdP still publishes both the old and the new signing certificate, so logins keep working through the switch.
Need help configuring SSO?
Our team can assist you with integrating your Identity Provider.